For an effective network security apparatus to be in place, it is important to understand the central concepts associated with it and the implied technologies and processes around it that make it robust and resilient to cyber attacks. Today, some of the common challenges that security professionals face is the lack of a clear distinction between the devices in their infrastructure and the data that they hold or process. This is further complicated when the visibility is blurred by not having a demarcation of the various network boundaries. Today, we have evolved networks with components such as IoT, Industrial IoT (IIoT), and cloud computing, which have further added to the network complexity.
Network security in itself touches upon various attributes of security controls that a security professional should take into account, such as security gateways, SSL inspection, threat prevention engines, policy enforcement, cloud security solutions, threat detection and insights, attack analysis w.r.t frameworks, and so on.
Therefore, it is important, as a network security professional, to not only have clear visibility of your network but also understand the effectiveness of your security products/solutions. The following subsections will help us get familiar with the key terms and components of network security.
Network security concepts
As a network security professional, you should have a good understanding of major concepts such as the different attributes of network security, different types of network attacks, the fundamentals of a firewall's intrusion-detection/intrusion-prevention systems, the fundamentals of encryption and virtual private networks, operating system hardening, and many more.
Conceptually, cybersecurity focuses on the following attributes for foundational maturity, something that we will investigate deeply later in this book:
- Authentication: The process of verifying the identity of a user or process.
- Authorization: This is the process of validating the rights/privileges that a user has for a resource.
- Confidentiality: This refers to protecting information (data and system) from being accessed by unauthorized parties.
- Availability: This refers to data and systems being available for use.
- Integrity: This refers to maintaining the accuracy, consistency, and trustworthiness of data over its entire life cycle.
- Non-repudiation: This refers to the ability to assure that the sender accepts the authenticity of their signature message.
- Resilience: This refers to the ability of an entity to deliver the intended outcome continuously, despite adverse cyber events.
Before proceeding further, please ensure that you are familiar with the following concepts:
- OSI reference model: 7 layers and their corresponding functions and TCP/IP model
- Networking protocols and concepts: Proxies, security zones, DMZ, subnetting, and NAT/PAT
- Network connectivity devices: Firewall, DLP, IDS/IPS, and load balancer
- Common threats to network security: Virus, worms, trojans, RAT, sniffing, session hijacking, and DoS/DDoS
Next, we will take a look at the various attributes of network security and how to conduct continuous improvements and post-deployment analysis.
Network security components
A foundational well-thought-out network security architecture is key to an efficient, effective, and secure network infrastructure. Often, organizations face reliability issues, performance issues, cyber disruptions, and security incidents due to loopholes in the network architecture. Organizations should focus on areas such as network segmentation, adequate access controls, Defense-in-Depth (DiD), and the implementation of least privileges from a design perspective to begin with.
The first step in defending/protecting a network is to understand what that network comprises, how its elements communicate, and the architecture. Although there are many major frameworks available for implementing best practices for network design, each organization has different operational objectives and business goals, due to which contextualization and applying the best bit for the purpose of analysis needs to be done by a security architect.
As a best practice, break down all the security controls in the organization into major blocks and test each one. This allows you to validate their effectiveness and understand the improvement areas or security gaps. The overall blocks can be Identify, Detect, Protect, Respond, Recover, and Comply:
| Identify | Detect | Protect | Respond | Recover | Comply |
| Breach Stimulation | SOC 1 and SOC 2 | Security Awareness Training | SOAR | Data Backup | ISO Requirements |
| Red and Purple Teaming Exercise | Threat Hunting | SecDevOps | Digital Forensics | Data Recovery | GDPR/PIMS/and so on |
| Cloud Breach Stimulation | Threat Intel | CASB | Incident Response | Cyber Resilience | National and Regional Policies |
| Web/Mobile Application Attacks | Attack Surface Monitoring | WAF Assessment | Cyber Incident Response Team Assessment | BCP and DR | Industry and Regulatory Requirements and Mandates |
| Infrastructure Security Attacks | Cloud Security Monitoring | Third-Party Vendor Assessment | |||
| Security Architecture and Configuration review | SIEM and SOC Detection Assessment | Data Security and Classification | |||
| IoT and IIoT Security | UEBA | Identity and Access Management |
The preceding table shows the key components of a network security program and the solutions that should be (ideally) present in those components to give it holistic coverage against threats. Some of the key topics that organizations should focus on, to begin with, will be discussed in the following subsections.
Network and system hardening
One of the most fundamental security principals that a lot of organizations miss is reducing or restricting the attack surface. This includes changing the default configurations and the lack of system hardening. Some of the ways in which system hardening can be implemented include disabling default services, restricting default permissions that start up with power on, default usernames and passwords, open ports, and so on.
Concerning passwords and credentials, a policy must be developed that enforces the usage of complex passwords with more than an eight-character limit with the mandated usage of numeric values, capital letters, and special characters. A password change policy must also be in place.
Network segmentation
Network segmentation refers to segregating a network into sub-networks with the aim of improving performance and security (a reduced attack surface and grouping systems with similar security needs). This can be achieved by implementing firewalls, a virtual local area network (LAN), and software-defined networking (SDN), to name a few.
Proper network segmentation will allow the organization to segregate low-priority and low-trust network areas from the rest of the infrastructure or critical network segments, thus preventing widespread impact in the event of a cyber attack. This also helps with utilizing security monitoring platforms and access controls for the most business-critical segments of the organization.
Network choke-points
One of the major differentiating aspects between a fragile and resilient cybersecurity program is the strategy and approach toward building a comprehensive foundation. This foundation can be built only by having a clear visualization of the logical and technological layout of the environment. For example, identifying and adequately monitoring bottlenecks and choke-points can often help us discover larger and deeper problems in the network's foundation.
In military terms, a choke-point is a location on land or sea (a valley or a strait) where the military is forced to pass through a narrow column, which makes it easier for an opposing force to take them out with ease. Technically, this is a shooting a fish in a barrel kind of situation. In networking terms, a similar situation is faced when the data flow of a network is restricted due to bandwidth or application constraints.
From a network security standpoint, common examples include implementing a firewall for an internet-facing site or a load balancer that reroutes traffic based on bandwidth consumption. In the case of a Distributed Denial of Service (DDOS) or Denial of Service (DOS) attack, this can add to cyber resiliency. Today, we can build such scalable and highly available load balancers over the cloud by using services such as Google Cloud.
Defense-in-Depth
This is an implementation approach where multiple layers of security or defensive controls throughout the environment or landscape have redundancy in case of a security incident. This is also known as the castle approach. The reason why this approach is important is that it takes the weight off a single security/defensive control and supplements/compliments the security strategy by having multiple independent controls in place at different layers.
Originally, this was a military strategy, also known as deep in defense, that sought to hinder the movement of enemy forces. The focus is not on stopping them entirely via a frontal assault but by buying time and slowing down the attack's progression.
This is an effective measure as it often results in the attacker losing momentum over a period of time due to no-or-less progress. This vital time can be used to mount an attack on the assault forces or reenforce the defenses of the defending team.
Due diligence and cyber resilience
An organization must have a cybersecurity program that aims to annually review the cyber resilience of the organization's network. This is important from various aspects. First, this ensures that the operations team is ensuring due care and due diligence across the network. Second, this gives the leadership and operations team visibility into how the network has evolved over this period and what new changes have been made, how they impact the network topology, and how this changes the threat landscape for the organization in terms of new threats and vulnerability susceptibility that may stem from these changes. This also helps in mapping the relevancy of the security controls and level of compliance.
Soft targets
There is an English phrase that states a chain is no stronger than its weakest link, which means that a group is only as strong as its weakest link. In networking terms, this holds to the core, as discussed and explored in the preceding section. You, as a network security expert, need to identify and account for a single point of failure and implement a highly dependable process that will be put in place to mitigate such instances. We should also ensure that the appropriate controls are implemented around such susceptible resources of the network, as per their risk profile.
Continuous monitoring and improvement
Proactive network scanning should be implemented to hunt for unauthorized devices in the network and to monitor for suspicious activity in the network. This would ultimately lead to the requirement of a well-defined incident response mechanism.
Being a critical operational function, NOC also needs to aim for continuous improvement concerning processes, approaches, and turnaround time to showcase business outcomes and value creation.
Post-deployment review
The major focus here is to verify whether all the deployments are accurate and operate as expected. The idea is to evaluate the actual versus expected levels of service delivery and performance.
Now that we are familiar with the various network security concepts and their key components, next, we will take a look at the systematic approach that organizations should follow for a comprehensive network security architecture.